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(54) Method for securing communication over a network medium 



(57) Pre- authentication information of devices 
(310,320) is used to securely authenticate arbitrary 
peer-to-peer ad-hoc interactions. In one embodiment, 



public key cryptography is used in the main wireless link 
(340) with location-limited channels (330) being initially 
used to pre-authenticate devices. 
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Description 

[0001] Network communications have enabled users 
to receive information, such as documents, over the net- 
work medium. The network medium includes wired net- 
works and wireless networks. Information transmitted 
over the network medium may be accessible to others. 
However, users typically desire that such information re- 
ceived not be available to others. 
[0002] In one known example, the user wants to print 
a sensitive document that the user just received on the 
user's wireless device. 

[0003] To do this, the user needs to let the wireless 
device know how to find the first printer over a wireless 
medium, such as a wireless network. Conventionally, 
there are few options user may use to find the first print- 
er. Assuming each printer has a unique name, the user 
may type the name of the first printer into the user's wire- 
less device. Alternatively, the user may have access to 
a discovery protocol, where the user may pick the first 
printer out of a list of printers. But the wireless device 
should guarantee that it is actually talking to the first 
printer and that the communication is secure. 
[0004] If the first printer has a certificate issued by a 
trusted authority the wireless device may perform a key 
exchange with the first printer and establish an authen- 
ticated and secret channel with the first printer. Howev- 
er, several problems are associated with this approach. 
For instance, an immense public key infrastructure may 
be required and every printer, including potential partic- 
ipants of the public key infrastructure, may require a 
unique name with a certificate being issued by the trust- 
ed authority. This is typically very expensive. Further, an 
immense public key infrastructure may not be practical. 
[0005] Another method may be to use an out-of- band 
mechanism for establishing security. Frank Stajano et 
al., "Resurrecting Duckling: Security Issues for Ad-hoc 
Wireless Networks," 7 th International Workshop, Lec- 
ture Notes in Computer Science, Cambridge, United 
Kingdom, April 1999, Springer- Verlag, Berlin, Germany, 
describes a security model usable to regulate secure 
transient association between devices in ad-hoc wire- 
less networks. 

[0006] In accordance with the present invention, a 
method for securing a communication over a network 
medium between at least two devices comprises trans- 
mitting pre-authentication information from a first device 
to a second device over a location-limited channel; and 
using the pre-authentication information secured 
by the second device to authenticate the communication 
from the first device. 

[0007] This invention provides systems and methods 
that allow a communication between a plurality of devic- 
es to be secured. 

[0008] Location-limited communication channels are 
used to transmit the pre-authentication information be- 
tween the plurality of devices. 

[0009] In various exemplary embodiments, a software 



2 

framework that supports inclusion of different location- 
limited channel types, public key algorithms used forthe 
key exchange protocols and the final key exchange pro- 
tocols chosen, and allows these to be dynamically cho- 
5 sen , can be used. The framework can be extended, to 
provide a new location-limited channel type, or a new 
key exchange protocol for example, by implementing a 
Java™ interface to provide a small amount of syntactic 
"glue". 

w [001 0] The framework provides both client and server 
components, and allows developers to choose from ei- 
ther low-level, step-by-step control over data exchange, 
or to use simpler, higher-level interfaces. Such interfac- 
es, for instance, provide server threads that can manage 
'5 pre-authentication of multiple clients over the location- 
limited channel, and offer control over how such pre-au- 
thentication information is used to authenticate those cli- 
ents over the wireless link. Framework components 
maintain state tracking regarding which devices have 
20 currently pre-authenticated, what keying information is 
currently in use by a particular device, and the like. 
[0011] In various exemplary embodiments, a system 
comprises a client, which is the initiator of the authenti- 
cated channel, and a responding server. The server lis- 
25 tens for a connection on both the location-limited chan- 
nel and the primary link, but only admits primary-link 
connections from clients who have performed pre-au- 
thentication on the location-limited channel. 
[0012] In various exemplary embodiments, the com- 
30 mercially-available Infra-red Data Association (IrDA) 
system can be used as a medium forthe location-limited 
channel. The client opens an IrDA connection to the 
server, and generates an error if it discovers more than 
one potential IrDA endpoint. Across this connection, the 
35 client and the server exchange pre-authentication data 
such as, for example, XML-encoded pre-authentication 
data, containing pre-authentication information, such 
as, for example, a commitment to an ephemeral Digital 
Signature Algorithm (DSA) public key, a "friendly name", 
40 and an IP address and a port on which the server is lis- 
tening. 

[0013] With the pre-authentication complete, the IR 
channel is closed, and the client extracts the server's IP 
address and port number from the data it received. The 
45 client opens a normal SSL/TLS connection to the server 
on the primary link. Each side uses the information 
gained in the pre-authentication step, i.e., the commit- 
ments to the public keys, to authenticate the newly 
opened channel. The client and server are now free to 
50 securely exchange any information they choose over 
the primary link. 

[0014] These and other features and advantages of 
the invention are described in, or are apparent from, the 
following detailed description of various exemplary em- 
55 bodiments of the systems and methods according to this 
invention. 

Fig. 1 illustrates an example of a communication au- 
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thenticating system according to this invention; 
Fig. 2 illustrates an example of a wireless device 
according to this invention; 
Fig. 3 is a flowchart of a method for authenticating 
communication over a wireless medium; 5 
Figs. 4-6 is another flowchart of a method for au- 
thenticating communication over a wireless medi- 
um; 

Figs. 7-9 illustrate a communication authenticating 
system for a group of devices; 
Fig. 1 0 is a flowchart of a method for authenticating 
communication over a wireless medium; and 
Fig. 11 is another flowchart of a method for authen- 
ticating communication over a wireless medium. 

[0015] According to this invention, pre-authenticating 
a number of wireless devices is used to securely au- 
thenticate arbitrary peer-to-peer ad-hoc interactions. 
This may include a bootstrap to a key exchange protocol 
that is used to set up an encrypted channel. A public key 
is committed to on the pre-authentication channel. A key 
exchange protocol using public key cryptography is 
used in the main wireless link to establish secure com- 
munications. Due to pre-authenticating the wireless de- 
vices using public keys, the types of media usable as 
location-limited channels do not need to be immune to 
eavesdropping and can include, for example, audio and/ 
or infra-red channels. Pre-authenticating the wireless 
devices using public keys allows a range of public-key- 
base key exchange protocols which can authenticate 
wireless devices to be used. 

[0016] Fig. 1 illustrates one exemplary embodiment 
of a wireless system 300. Only two wireless devices 31 0 
and 320 are shown. However, the system 300 is capable 
of including more than two wireless devices. The first 
wireless device 310 includes a location-limited channel 
receiver/transmitter 31 2 and a main wireless link receiv- 
er/transmitter 31 4. Likewise, the second wireless device 
320 includes a location -limited channel receiver/trans- 
mitter 322 and a main wireless link receiver/transmitter 
324. In an alternative embodiment, the first and second 
wireless devices each has a main wired link receiver/ 
transmitter, such as Transport Control Protocol/ Internet 
Protocol (TCP/IP) sockets or any other known or later 
developed wired network receivers/transmitter. In an- 
other embodiment, the first and second wireless devices 
have both a main wireless link and a main wired link. 
[001 7] If the first wireless device 3 1 0 in itiate commu- 
nication with the second wireless device 320, the first 
wireless device 310 initially sends pre-authentication in- 
formation through the location-limited channel receiver/ 
transmitter 312 to the second wireless device 320 via 
the location-limited channel 330. The second wireless 
device 320 receives the pre-authentication information 
from the first wireless device 31 0 through the location- 
limited channel receiver/transmitter 322. 
[0018] Where mutual authentication is not required, 
the first wireless device 31 0 does not need to send pre- 



authentication information to the second wireless device 
320. A wireless device that does not mutually exchange 
pre-authentication information with another wireless de- 
vice cannot authenticate the communication received 
from the other wireless device. Thus, that wireless de- 
vice is unprotected against attacks by an eavesdropper. 
Thus, where mutual authentication is required, such as 
an exchange of sensitive information between two wire- 
less devices, the second wireless device 320 responds 
by sending additional pre-authentication information 
through the location-limited channel receiver/transmit- 
ter 322 to the wireless device 31 0 via the location-limited 
channel 330. 

[001 9] The first wireless device 31 0 receives the pre- 
authentication information through its location-limited 
channel receiver/transmitter 312. With the pre-authen- 
tication information exchanged between the first and 
second wireless device 310 and 320, the first wireless 
device 310 uses the main wireless link receiver/trans- 
mitter 31 4 to communicate with the second wireless de- 
vice 320 via the main wireless link 340. The second wire- 
less device 320 uses its main wireless link receiver/ 
transmitter 324 to communicate with the first wireless 
device 31 0 via the main wireless link 340. Because pre- 
authentication information has been exchanged be- 
tween the two wireless devices 310 and 320 in both di- 
rections, each of the first and second wireless devices 
310 and 320 authenticates the communication of the 
other wireless device 320 and 310, respectively, using 
the received pre-authentication information received 
from that other wireless device 320 or 31 0, respectively. 
[0020] Fig. 2 illustrates one exemplary embodiment 
of a wireless device 400. The wireless device 400 may 
be a Personal Digital Assistant (PDA), a laptop compu- 
ter with wireless capability, a wireless hand held com- 
puter, a Blackberry™ device, a printer with wireless ca- 
pability, a wireless phone and the like. The wireless de- 
vice 400 includes a processor 410, a memory 420, an 
input/output (I/O) interface 430, a location-limited chan- 
nel receiver/transmitter 442 and a main wireless link re- 
ceiver/transmitter 444. 

[0021] The memory 420 stores an operating system 
422, a wireless application 424, an authentication appli- 
cation 426 and an authenticator428. The operating sys- 
tem 422 provides the computer instructions which, when 
executed by the processor 410, programs and controls 
various I/O controllers including the I/O interface 430 of 
the wireless device 400. The operating system 422 pro- 
vides instructions that stores the wireless application 
424, the authentication application 426 and the authen- 
ticator428 in a retrievable manner. 
[0022] The wireless application 424 provides instruc- 
tions that, allows the wireless device 400 to communi- 
cate with a wireless network through the main wireless 
link receiver/transmitter 444 connected to a main wire- 
less link interface 434 of the I/O interface 430. The wire- 
less application 424 may be Bluetooth™, ANSI/IEEE 
802.11, and the like. 



15 



20 



25 



30 



35 



40 



45 



50 



3 



5 



EP 1 335 563 A2 



6 



[0023] A wireless receiver/transmitter and interface 
used in a wireless network can be used as the main wire- 
less link interface 434 and the main wireless link receiv- 
er/transmitter 444. In an alternative embodiment, the 
wireless device has main wired link interface and main 
wireless link receiver/transmitter such as TCP/IP inter- 
face and socket or both the main wireless link interface 
and transmitter, and main wired interface and receiver/ 
transmitter. 

[0024] The location-limited channel receiver/transmit- 
ter 442 may be separate from the main wireless link re- 
ceiver/transmitter 444. A suitable location-limited chan- 
nel receiver/transmitter 442 has at least two properties 
in order to send and receive pre-authentication informa- 
tion of the wireless devices. The first such property is a 
demonstrative property. A suitable location-limited 
channel receiver/transmitter 442 has physical limita- 
tions in its transmissions. For example, sound, whether 
in the audible and/or in the ultrasonic range, which has 
a limited transmission range and broadcast character- 
istics, may be used as a location-limited channel for a 
group of wireless devices. For point-to-point communi- 
cation, such as between two wireless devices, a loca- 
tion-limited channel with directionality, such as an infra- 
red channel may be used. The demonstrative property 
allows for communication across a location-limited 
channel to "name" a target device or group of devices 
based on the physical relationships between the devic- 
es and the limited locations accessible through the lo- 
cation -limited channel. 

[0025] The second property is authenticity. This prop- 
erty ensures that pre-authentication information ex- 
changed over the location-limited channel allows the ex- 
changing wireless devices to securely authenticate 
each other over the main wireless link, even in the pres- 
ence of eavesdroppers. If the participants use the loca- 
tion-limited channel to exchange their public keys as 
pre-authentication information, an attack by an eaves- 
dropper on location-limited channel does not matter be- 
cause the eavesdropper does not know the participants' 
private keys. The participants will authenticate each oth- 
er over the main wireless link by proving possession of 
their corresponding private keys as part of a key ex- 
change protocol. Thus, the eavesdropper will not be 
able to impersonate any of the participants. 
[0026] Another property of a location-limited channel 
receiver/transmitter is that the location-limited channel 
is difficult to attack without the attack being detected by 
at least one legitimate participant (human or device). 
These include a receiver/transmitter that uses infra-red, 
sound, whether audio and/or ultrasound, and/or near- 
field signaling across the body. 
[0027] Detecting the attack may not require that the 
devices transmitting on the location-limited channel be 
identified. Instead, for example, detecting the attack 
may merely depend on one's ability to count. Thus, if 
two wireless devices are attempting to communicate, 
and the communication is successful, as indicated, for 



example, by the lights on the target device blinking, or 
by the human that is using a laptop computer indicating 
that the communication was successful, then the . 
number of legitimate participants are known. If extra, il- 

5 legitimate, participants are detected, for example, bythe 
laptop indicating that a third participant has joined the 
communication, the communication may simply be 
aborted by the legitimate participants. 
[0028] The pre-authentication information is used to 

10 authenticate the received authenticator 428. The au- 
thenticator 428 may be a key, a secret, or the like. The 
key may be either a long-lived key or an ephemeral key. 
The choice is usually based on the application in which 
the key is being used. In either case, the key does not 

15 require certification by a trusted authority. However, if 
the key exchange protocol chosen requires an ex- 
change of certificates, the certificate may be self -signed 
by the wireless device 400. 

[0029] Usually, the amount of information exchanged 
20 across the location-limited channel is a small fraction of 
the amount of information sent across the main wireless 
link. One method of reducing the size of the pre-authen- 
tication information is to use cryptographically-secure 
hash functions, such as, for example, Secure Hash Al- 
25 gorithm-1 (SHA-1 ). Using this method, the participants 
need not actually exchange their complete public keys 
as pre-authentication information. Instead the partici- 
pants send commitments of the keys, for example, by 
exchanging digests of the keys. The participants ex- 
30 change commitments to their public keys across a cho- 
sen location-limited channel. In doing so, each partici- 
pant is able to identify whom that participant is commu- 
nicating with. 

[0030] The wireless device 400 communicates with 

35 another wireless device using the main wireless link re- 
ceiver/transmitter 444. The wireless device 400 uses 
the authentication application 426, which may include 
various established public-key-based key exchange 
protocol, such as the commercially available Secure 

40 Socket Layer/ Transport Layer Security (SSUTLS), Se- 
cure Key Exchange Mechanism (SKEME), Internet Key 
Exchange (IKE) and the like, to prove possession of the 
private key, which corresponds to the public key com- 
mitted during the pre-authentication information ex- 

45 change. In the case, where a digest of the public key 
was sent during the pre-authentication information ex- 
change, the wireless device 400 exchanges the com- 
plete public key over the main wireless link. The key ex- 
change may either be prefixed to protocol execution, or, 

50 as in Socket Layer/ Transport Layer Security (SSL/TLS), 
occurs naturally as a standard part of the key exchange 
protocol. The keys are authenticated by the fact that 
they were the ones committed to across the location- 
limited channel. The wireless device 400, having au- 

55 thenticated the other wireless device's public keys, pro- 
ceed with the exchange protocol on the main wireless 
link. 

[0031] Fig. 3 is a flowchart outlining one method for 
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authenticating a communication over a network medi- 
um. The first wireless device contains a first public key 
PK V The second wireless device contains a second 
public key PK 2 . Beginning in step S100, operation con- 
tinues to step S1 1 0, where first wireless device sends a 5 
commitment to the public key PK 1 using a location-lim- 
ited channel to a second wireless device. This is at least 
a part of the exchange of pre-authentication information 
over the location-limited channel. The commitment can 
be the public key itself, a certificate, or a digest of the 
public key. Then, in step S120, in response to receiving 
the commitment to the public key PK 1 from the first wire- 
less device, the second wireless device sends a com- 
mitment to the public key PK 2 over the location-limited 
channel, which is received by the first wireless device. 
At this stage, the first wireless device may also receive 
the address of the second wireless device to provide for 
communication over the main wireless link. 
[0032] In step S130, the first wireless device sends 
the public key PK 1 to the second wireless device using 
the wireless main link. In step S 140, the second wireless 
device sends its public key PK 2 to the first wireless de- 
vice and the exchange of keys take place. In step S150, 
the first wireless device authenticates the public key PK 2 
received from the second wireless device and compares 
the public key PK 2 against the commitment received in 
the pre-authentication information stage. In one embod- 
iment, the authentication of the received public key PK 2 
is performed using a key exchange protocol, such as 
those illustrated in Fig. 2, that proves ownership of a 
private key corresponding to the public key. In the event 
that the second wireless device is using a secret S 2 
when the first wireless device sends its public key PK^ 
across the wireless main linkthe second wireless device 
verifies the public key PK., against the commitment, and 
uses it to encrypt its secret S 2 and returns the result 
EPK 1 (S 2 ) to the first wireless device. Authentication is 
performed by the second wireless device's ability to pro- 
duce the secret S 2 , and the first wireless device's ability 
to decrypt the result EPK 1 (S 2 ). 
[0033] In step S160, a determination is made whether 
the commitment for the public key PK 2 previously re- 
ceived from the second wireless device matches the re- 
ceived public key PK 2 . If so, operation continues to step 
S1 70. Otherwise, operation jumps to step S1 80. in step 
S170, the first wireless device resumes communication 
with the second wireless device over the main wireless 
link using the symmetric key agreed upon during the key 
exchange protocol to encrypt the communication. Op- 
eration then jumps to step S190. In contrast, in step 
S1 80, if the first wireless device cannot authenticate the 
public key PK 2 of the second wireless device the first 
wireless device terminates the communication with the 
second wireless device. Operation then continues to 
step S190, where the method ends. 
[0034] It should be appreciated that in various exem- 
plary embodiments, the first wireless device includes an 
arbitrary secret such as a random number. In this 



case, because the first wireless device is sending a 
commitment to the arbitrary secret the commitment 
is sent in a form of a cryptographic digest h (S^ because 
S 1 is to remain a secret. In various other exemplary em- 
bodiments, the first wireless device may also transmit 
its address, such as an IP address and port number, a 
Bluetooth device address, a user-friendly name or any 
other appropriate information to provide for communi- 
cation at the main wireless link. 
[0035] Figs. 4-6 are a flowchart outlining one exem- 
plary embodiment of a method that complements an im- 
proved Guy Fawkes protocol that provides for interac- 
tive communication. This method may be used where 
the wireless devices have limited computational re- 
sources, such that public key operations are infeasible, 
and the location-limited channel does not provide a 
trusted exchange of secret data. 
[0036] An example of a conventional Guy Fawkes 
protocol is described in Anderson et al., "A New Family 
of Authentication Protocols", ACMOSR: ACM Operating 
Systems Review, 32, 1998. Initially designed for authen- 
ticating digital streams the Guy Fawkes protocol as- 
sumes that parties A and B want to exchange streams, 
comprising sequential blocks Aq.A^A^ ... and B 0 ,B 1( 
Bg, ... respectively. At each step i, A sends to B a packet 
Pj containing 4 pieces of data: a block A ( ; a random value 
Xj, used as an authenticatorfor the block Aj; the digest 
X i+1 h(Xj+1 ) of the next authenticator; and the n(apt-1 ) di- 
gest of the message a, +1 = n (A i+1 ,h(X, +2 ),X, +1 )'\ B does 
the same during that step i. Assuming that B received 
an authenticated packet P. B authenticates the packet 
Pi as soon as B receives it, because the packet Pi con- 
tained the digest n(a M ). It should be appreciated that 
this does not hold if A and B do not execute in lock-step. 
Thus, this protocol requires both A and B to know, one 
step ahead of time, what they want to say next, which 
makes the protocol unsuitable for interactive exchang- 
es. 

[0037] As shown in Figs. 4-6, operation begins in step 
S200 and continues to step S205, where a counter N is 
set to 1 . In step S21 0, a first wireless device sends an 
communication that includes a digest of its secret 
(authenticator) that will be used to authenticate its N th 
message together with a digest of its N th message over 
a location-limited channel to a second wireless device. 
In step S21 5, the second wireless device sends an N th 
communication that includes a digest of its N lh secret 
that will be used to authenticate its N th message togeth- 
er with a digest of its N th message over the location- 
limited channel to the first wireless device. 
[0038] In step S220 the first wireless device sends a 
digest of the N m communication of the second wireless 
device and the first wireless device's N th secret to the 
second wireless device. In step 225, the second wire- 
less device sends a digest of the N^ 1 communication of 
the first wireless device and the second device's N th se- 
cret to the first wireless device. In step S230, a determi- 
nation is made by one or both of the first and second 
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wireless devices whether to terminate the communica- 
tion. If either of the first wireless device or the second 
wireless device determines to terminate the communi- 
cation, operation proceeds to step S320. Otherwise, the 
communication continues and operation continues to 
step S235. 

[0039] In step S235, the first wireless device contin- 
ues the communication over a main wireless link. As the 
initiator of the communication, the first wireless device 
sends an N th message which is meaningful, and a digest 
of its (N+1) th secret that will be used to authenticate its 
(N+l)** 1 message together with an (N+1) th communica- 
tion that includes a digest of the (N-M ) th message to the 
second wireless device. In step S240, the second wire- 
less device sends an N th message which is meaning- 
less, and a digest of its (N+1 ) th secret that will be used 
to authenticate its (N+1) th message together with an 
(N+1)* communication that includes a digest of the 
(N+1) th message to the first wireless device. The N th 
message of the second wireless device is meaningless 
because the N th message was committed to in step 
S215, when the second wireless device did not know 
the N th message of the first wireless device that was 
transmitted in step S21 0. At this point, either of the wire- 
less device can terminate the communication. Accord- 
ingly, in step S245, a determination is made by one or 
both of the first and second wireless devices whether to 
terminate the communication. In either of the first wire- 
less device or the second wireless device'determines to 
terminate the communication, operation proceeds to 
step S320. Otherwise, the communication continues 
and operation continues to step S250. 
[0040] In step S250, the first wireless device sends a 
digest of the second wireless device's (N+1) th commu- 
nication and the first wireless device's (N+1) th secret to 
the second wireless device. In step S255 the second 
wireless device sends a digest of the first wireless de- 
vice's (N+l)* 1 communication and the second device's 
(N+1) th secret to the first wireless device. 
[0041] In step S260, the first wireless device sends 
an (N+1) th message which is meaningless, and a digest 
of its (N+2) th secret that will be used to authenticate its 
(N+2) m message togetherwith a (N+2) th communication 
that includes a digest of the (N+2) th message to the sec- 
ond wireless device. The (N+1) th message of the first 
wireless device is meaningless because it is the second 
wireless device's turn to send a message which is mean- 
ingful. In step S265, the second wireless device sends 
an (N+1) th message which is meaningful, and a digest 
of its (N+2) th secret that will be used to authenticate its 
(N+2) th message together with a (N+2) th communication 
that includes a digest of the (N+2) th message to the first 
wireless device. The second wireless device sends the 
message that is meaningful due to the commitment 
made in step S240 after the second wireless device 
learned of the N th message of the first wireless device 
that was meaningful. In step S270, a determination is 
made by one or both of the first and second wireless 



devices whether to terminate the communication. In ei- 
ther of the first wireless device or the second wireless 
device determines to terminate the communication, op- 
eration proceeds to step S320. Otherwise, the continues 

5 operation and continues to step S275. 

[0042] In step S275, the first wireless device sends a 
digest of the second wireless device's (N+2) th commu- 
nication and the first device's (N+2) th secret to the sec- 
ond wireless device. Next in step S280, the second wire- 

io less device sends a digest of the first wireless device's 
(N+2) th communication and the second device's (N+2) th 
secret to the first wireless device. In step S285, the first 
wireless device sends an (N+2) th message that is mean- 
ingless, and a digest of its (N+3) m secret that will be 

is used to authenticate its (N+S)* message together with 
a (N+3) th communication that includes a digest of the 
(N+3) th message to the second wireless device. The 
(N+2) th message is meaningless because the first wire- 
less device was committed in step S260 when the first 

20 wireless device had not received the (N+1) m message 
of the second wireless device that was meaningful. 
However, the first wireless device can commit to the 
(N+3) th message that is meaningful because the first 
wireless device had the (N+1) th message from the sec- 

25 ond wireless device in step S265 that was meaningful. 
[0043] In step S290, the second wireless device 
sends an (N+2) th message that is meaningless, and a 
digest of its (N+3) th secret that will be used to authenti- 
cate its (N+3) th message together with a (N+3)* com- 

30 munication including a digest of the (N+3) th message to 
the first wireless device. The (N+2) th message of the 
second wireless device is meaningless because the 
next turn to "talk" belongs to the first wireless device. 
Again, at this point, either of the wireless devices can 

35 terminate the communication. Accordingly, in step 
S295, a determination is made by one or both of the first 
wireless device and the second wireless device whether 
to terminate the communication . If either of the first wire- 
less device or the second wireless device determines to 

40 terminate the communication, operation jumps to step 
S320. Otherwise, the communication continues and op- 
eration continues to step S300. 
[0044] In step S300, the first wireless device sends a 
digest of the second wireless device's (N+3) th commu- 

45 nication and the first device's (N+3) th secret to the sec- 
ond wireless device. In step S305, the second wireless 
device sends a digest of the first wireless device's 
(N+3) th communication and the second device's (N+3) th 
secret to the first wireless device. In step S31 0, the con- 

50 troller N is incremented by 4. Operation then returns to 
step S235. In contrast, in step S320 operation of the 
method ends. 

[0045] It should be appreciated that there are appli- 
cations for which mutual authentication is not required. 
55 For instance, a device designed to provide a service to 
anyone that requests the service does not need to au- 
thenticate the device with which it is communicating, 
and therefore may be the only one to send pre-authen- 
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tication information. Such a device may have, for exam- 
ple, a passive beacon such as, for example, an Infra- 
red (IR) beacon or Radio frequency Identification (RFId) 
tag, sending pre-authentication information that is suffi- 
cient to uniquely and securely identify its active proxy in 
wireless space. Such an approach may be used to add 
a measure of security and authentication to systems that 
use such beacons to provide a "digital presence" for 
physical objects. 

[0046] Some of the location-limited channels de- 
scribed with respect to Fig. 4 have broadcast capability. 
Using such broadcast capabilities, protocols may be 
constructed that provide for authenticated group com- 
munication. Applications can include networked games 
and meeting support and/or conferencing software. 
[0047] Audio is a medium that may provide a broad- 
cast location-limited channel. Audio may be monitored 
and tracked by participants. Even if the participants in 
the exchange do not know what is carried in the audio 
messages, they can recognize the legitimate group par- 
ticipants that ought to be sending such audio messages. 
Audio may be incorporated into sounds that are already 
used by many pieces of software to provide feedback to 
participants. For example, most corporate conference 
call settings play a short "join tone" whenever a new par- 
ticipant enters a call. Such tones may be altered to also 
contain the participant's key information. Because des- 
ignated channels designed to carry audio and/or voice 
information already exists, audio as a location-limited 
channel may be used via the telephone network. 
[0048] Because using public key cryptography on lo- 
cation-limited channels means that those exchanges do 
not require secrecy, and thus are not vulnerable to 
eavesdropping, the broadcast characteristics of an au- 
dio channel may be used to pre-authenticate group 
communication. Each participant in the group commu- 
nication broadcasts that participant's pre-authentication 
information over the audio channel, which is heard by 
all other legitimate participants. The preauthorization in- 
formation will generally include a commitment to a public 
key. The broadcast may also be heard by attackers, but 
that poses no risk to the protocol's security unless those 
attackers also managed to broadcast their own pre-au- 
thentication information over the audio channel without 
detection by the legitimate participants, whether by hu- 
mans or by devices. Any attackers so attempting to 
broadcast the attacker's information to mount an active 
attack on the location-limited channel will usually be de- 
tected by the legitimate human or device participants, 
because there will be an "extra" broadcast. For exam- 
ple, in the case of audio, there will be a broadcast from 
an unexpected location. 

[0049] Legitimate participants proceed with known or 
later developed group key exchange protocol, where 
each participant proves, to one or more legitimate par- 
ticipants, that participant's possession of the private key 
corresponding to the public key committed to by the par- 
ticipant on the location-limited channel. Any participant 



capable of proving possession of the private key corre- 
sponding to one of the public keys so committed to is 
considered an authenticated participant in the group 
communication. Further, the chosen key exchange pro- 

5 tocol may also result in all participants sharing a number 
of additional keys that can be used for encrypting and/ 
or authenticating further communication between the 
participants of the group communication. 
[0050] Figs. 7-9 illustrates an exemplary setting for 

10 authenticating a communication over a network medium 
among a group of wireless devices. As shown in Fig. 7, 
one participant acts as the group manager 61 0. The first 
participant to send pre-authenticate information be- 
comes the group manager 610. Otherwise, a random 

15 participant is selected as the group manager. The group 
manager 610 broadcasts pre-authentication informa- 
tion, such as a commitment to a group public key, or its 
own public key, during a pre-authentication stage to var- 
ious legitimate participants 612, 614 and 616 over a 

20 broadcast location-limited channel. As shown in Fig. 7, 
other parties 622, 624 and 626 are present and have 
access to the wireless network. Any attempt to send on 
the location-limited channel results in the detection of 
the attempt, because the legitimate participants are usu- 

25 ally able to detect all transmissions on the location-lim- 
ited channel, and are able compare the number of such 
transmissions with the number of expected transmis- 
sions, i.e., the number of legitimate participants. 
[0051] As shown in Fig. 8, each participant 612, 614 

30 and 616 responds to the pre-authentication broadcast 
information from the group manager 61 0 by each broad- 
casting that participant's own pre-authentication infor- 
mation, each containing a commitment to that partici- 
pant's own public key, over the location-limited channel. 

35 These broadcasts are received by both the group man- 
ager 610 and the other legitimate participants 612,614 
and 616. After broadcasting that participant's pre-au- 
thentication information, each participant 612, 614, and 
616 in turn makes a point-to-point connection to the 

40 group manager 61 0.forexample, using the address pro- 
vided by the group manager 610 as part of the group 
manager's pre-authentication information. Each partic- 
ipant 612, 614, and 616 engages with the group man- 
ager 610 in a point-to-point key exchange protocol, such 

45 as, for example Socket Layer/Transport Layer Security 
(SSLTTLS). Using the protocol, the group manager 61 0 
gives each of the participants 612,614, and 616 a copy 
of a shared group encryption key or keys. These keys 
are used to encrypt and authenticate further communi- 

50 cation between all the participants, including the group 
manager 610 and the other participants 612, 614 and 
616. 

[0052] Because the parties 622, 624 and 626 did not 
broadcast their pre-authentication information on the lo- 
ss cation-limited channel, the group manager 61 0 does not 
recognize the parties 622, 624 and 626 as legitimate 
participants in the group communication. The parties 
622, 624 and 626, therefore, will not be able to success- 
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fully create point-to-point connections on the main wire- 
less link with the group manager, 610. This results in the 
parties 622, 624 and 626 not receiving the shared group 
key that would allow them to decrypt group communica- 
tions between the legitimate participants including the 
group manager 610 and all the other participants 612, 
614, and 616. 

[0053] Fig. 10 is a flowchart outlining a first exemplary 
embodiment of a method for authenticating a communi- 
cation over a network medium among a group of wire- 
less devices. 

Operation starts from step S400 to go to S41 0, where a 
group manager is selected for participants of the group. 
In step S420, the group manager broadcasts its pre-au- 
thentication information over a location-limited channel 
to the participants of the group. The pre-authentication 
information according to one embodiment may be a di- 
gest of a public key of the group manager. In step S430, 
each participant that receives the pre-authentication in- 
formation of the group manager reciprocates by sending 
its pre-authentication information to the group manager 
and the other participants. The exchange of the pre-au- 
thentication information between the participants, in- 
cluding the group manager, occurs as a broadcast over 
the location-limited channel. According to one embodi- 
ment, the pre-authentication information of a participant 
is a digest of a public key of that participant. 
[0054] In step S440, the group manager and each of 
the participants perform a point-to-point key exchange 
using the public keys corresponding to the digest of the 
public keys received during the pre-authentication 
stage, using any known or later-developed key ex- 
change protocol over the wireless link, for example. 
Such a protocol will also set up a point-to-point encrypt- 
ed and authenticated channel between the group man- 
ager and the current participants of the group. In step 
S450, the group manager may distribute to each partic- 
ipant over the wireless link a copy of a group key to be 
used as a shared session key. In step 460, operation of 
the authentication method ends, allowing for secure 
communication among participants of the group, includ- 
ing the group manager, to proceed. 
[0055] In a centrally-managed group, managing the 
joining and leaving of participants may be relatively 
easy. A joining participant may use one of the two-party 
protocols discussed above with the group manager 610 
to authenticate itself, and to receive the group key over 
a secured wireless link. When a participant leaves a 
group, the group manager 610 can distribute a new 
group key to all remaining participants over the wireless 
link. This may be done because the group manager 6 1 0 
has established shared secret keys with each individual 
participant of the group during the point-to-point key ex- 
change. 

[0056] Fig. 1 1 is a flowchart outlining another method 
for authenticating a communication over a network me- 
dium among a group of wireless devices. The method 
outlined in Fig. 11 allows all participants to equally par- 



ticipate in key generation, and thus all participants may 
be equally trusted. 

[0057] Operation begins in step S500 and continues 
to step S51 0, where each participant broadcasts its pre- 

5 authentication information, such as a commitment to a 
Diffie-Hellman public value, to the participants of the 
group using a broadcast location-limited channel. In 
step S520, each participant proceed with a chosen 
group key exchange protocol, where participants 

10 presenttheir complete Diffie-Hellman public values over 
a wireless network. The group key exchange protocol 
may be a modified Diffie-Hellman key exchange among 
participants of the group, which allows all participants to 
share in the generation of the group shared secret key. 

is [0058] Like the standard two-party Diffie-Hellman key 
exchange, while a secret may be established, the par- 
ticipants of the group are strangers. Thus, these proto- 
cols based on extending Diffie-Hellman assume that all 
participants participate in a shared public key infrastruc- 

20 ture, or have previously exchanged public keys. 

[0059] Because pre-authentication information ex- 
changed over the location-limited channels allows the 
participants to authenticate each other, this assumption 
is no longer necessary. The use of a broadcast location- 
's limited channel allows ail participants of the group to 
commit to their public keys publicly to one or more par- 
ticipants of the group. I n step S530, the participants may 
then proceed with the chosen group key exchange pro- 
tocol over the wireless link and, for example, use the 

30 presented complete Diffie-Hellman public values to de- 
rive a group key. Operation then continues to step S540, 
where operation of the authentication method ends, al- 
lowing secure communication to proceed. 
[0060] A participant who joins in after a session has 

35 started may broadcast that participant's key commit- 
ment over the location-limited channel to the rest of the 
participants of the group as that participant joins. A ran- 
domly selected current participant can respond, provid- 
ing mutual authentication. The chosen group key ex- 

40 change protocol is used to handle the details of updating 
the shared group key for these new participants, or re- 
voking keys of departing participants. 



45 Claims 

1. A method for securing a communication over a net- 
work medium between at least two devices, com- 
prising: 

50 

transmitting pre-authentication information 
from a first device to a second device over a 
location-limited channel; and 
using the pre-authentication information se- 
55 cured by the second device to authenticate the 

communication from the first device. 

2. The method of claim 1 , wherein transmitting the pre- 
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authentication information over a location-limited 
channel includes: 

sending a commitment including at least a com- 
mitment to a first secret and a commitment to 5 
a meaningful message from the first device to 
the second device; 

responding to the commitment from the first de- 
vice by sending a commitment including at least 
a commitment to a second secret and a com- 10 
mitment to a meaningless message from the 
second device to the first device; 
acknowledging receipt of the commitment of 
the second device by the first device; and 
acknowledging receipt of the commitment of '5 
the first device by the second device. 



group manager with respect to remaining ones 
of the other devices of the group; 
distributing new pre-authentication information 
by the group manager to the remaining devices 
in the group; 

using the distributed pre-authentication infor- 
mation by the group manager and the remain- 
ing ones of the devices of the group to authen- 
ticate the communication between the group 
manager and the remaining ones of the devices 
of the group. 

7. The method any of claims 3 to 6, fu rther comprising 
using the network medium to distribute a new group 
key information from the group manager to the re- 
maining ones of the devices of the group. 



A method according to claim 1 or claim 2, wherein 
the first and second devices form all or part of a 
group of devices, the method comprising: 



20 



A method according to claim 1 or claim 2, wherein 
the first and second devices form ail or part of a 
group of devices, the method comprising: 



designating at least one device of the group as 
a group manager; 

exchanging pre-authentication information be- 
tween the group manager and other devices of 25 
the group using a broadcast location-limited 
channel; and 

using the exchanged pre-authentication infor- 
mation secured by the group manager and the 
other devices to authenticate the communica- 30 
tion over the network medium. 

4. The method of claim 3, further comprising using the 
network medium to distribute a group key informa- 
tion from the group manager to the other devices in 35 
the group. 

5. The method of claim 3 or claim 4, further compris- 
ing: 

40 

receiving a new device into the group of devic- 
es; 

exchanging pre-authentication information be- 
tween the group manager and the new device 
using the broadcast location-limited channel; 45 
and. 

using the exchanged pre-authentication infor- 
mation secured by the group manager and the 
new device to authenticate the communication 
over the network medium between the group so 
manager, the group of devices and the new de- 
vice. 



exchanging pre-authentication information be- 
tween each device and other devices in the 
group over a broadcast location-limited chan- 
nel; and 

using the pre-authentication information of a 
selected device for communication that is se- 
cured by a communicating device to authenti- 
cate the communication over the network me- 
dium with the selected device. 

9. A method according to any of the preceding claims, 
wherein an infra-red or audio channel is used as the 
location-limited channel. 

10. A method accroding to any of the preceding claims 
wherein transmitting pre-authentication information 
includes sending a digest of an authenticator from 
one device to another device, the digest of the au- 
thenticator including one of a public key, a digest of 
the public key and a digest of a secret. 



6. The method of any of claims 3 to 5, wherein, when 
a device leaves the group of devices, the method 55 
further comprises: 

nullifying pre-authentication information of the 
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